| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
2.010 2014/01/14
- new options SSL_client_ca_file and SSL_client_ca to let the server send
the list of acceptable CAs for the client certificate.
- t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay.
RT#101485, thanks to TEAM.
|
|
1.67 2015-01-17
Improvements to inc/Module/Install/PRIVATE/Net/SSLeay.pm to handle the
case whe there are muliple OPENSSLs installed. Patch from HBRAND
Fixed a documentation error in get_peer_cert_chain, reported by tejas.
Fixed a problem with building on Windows that prevented correct OpenSSL
directory detection with version 1.0.1j as delivered with Shining Light OpenSSL.
Fixed a problem with building on Windows that prevented finding MT or MD
versions of SSL libraries.
Updated doc in README.Win32 to build with Microsoft Visual Studio 2010 Express.
Added Windows crypt32 library to Windows linking as some compilers/platforms seem to
require it and it is innocuous otherwise. For Steve Hay.
Fixed a failure in t/external/20_cert_chain.t where some platforms do not
have HTTPS in /etc/services. Reported and patched by Gisle Aas.
Recent 1.0.2 betas have dropped the SSLv3_method function.
This patch leaves out the function on newer versions, much the same as
the SSLv2 deprecation is handled. Patch from Tom Molesworth.
Fix the ALPN test, which was incorrectly failing on OpenSSL due to the
LibreSSL check (earlier versions bailed out before that line).Patch from
Tom Molesworth.
|
|
0.7.2 - 2015-01-16
~~~~~~~~~~~~~~~~~~
* Updated Windows wheels to be compiled against OpenSSL 1.0.1l.
* ``enum34`` is no longer installed on Python 3.4, where it is included in
the standard library.
* Added a new function to the OpenSSL bindings to support additional
functionality in pyOpenSSL.
|
|
(Ooops, what happened here.)
|
|
|
|
It's not available.
ftp://ftp.belnet.be/pub/OpenBSD/OpenSSH/portable/ (capitalize openbsd) is
availabe, but it's a mirror, not the special old distfile holder.
Moreover, mirrors have good enough old versions, and "old" subdirectory
have much old distfiles.
|
|
From Matthias Ferdinand on pkgsrc-users.
|
|
* Version 1.0.1
- DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
collisions with similar macros defined by other libraries.
- sodium_bin2hex() is now constant-time.
- crypto_secretbox_detached() now supports overlapping input and output
regions.
- NaCl's donna_c64 implementation of curve25519 was reading an extra byte
past the end of the buffer containing the base point. This has been
fixed.
|
|
From ISIHARA Takanori in PR 49576.
Bump PKGREVISION.
|
|
Bump PKGREVISION.
|
|
Bump PKGREVISION.
|
|
2.009 2014/01/12
- remove util/analyze.pl. This tool is now together with other SSL tools in
https://github.com/noxxi/p5-ssl-tools
- added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) thanks to TEAM,
RT#101452
|
|
2015-01-12 Gisle Aas <gisle@ActiveState.com>
Release 2.54
David Mitchell: silence some compiler warnings
Jonathan Hall: Add ->context() feature
Steve Hay: Sync with blead
bulk88: const the vtable
zefram: 5.6 threads test fix
|
|
python versions' packages don't conflict. Add ALTERNATIVES file.
Bump PKGREVISION.
|
|
Upstream changes:
5.95 Sat Jan 10 12:15:36 MST 2015
- modified the bit-ordering test (ref. t/bitorder.t)
-- supplied directory-change preamble for CORE builds
5.94 Sat Jan 10 00:45:28 MST 2015
- added support for threaded builds
-- PERL_GET_NO_CONTEXT, pTHX_, aTHX_, etc.
-- employed 'const' storage class where possible
-- ref. rt.cpan.org #101260
- simplified shabits() routine (bitwise input buffering)
-- slightly less efficient but easier to understand
-- ref. rt.cpan.org #101344
- minor documentation tweaks and additions
|
|
|
|
Before 1.6.0 version, libgcrypt called pth_init() on it's own,
in later version dirmngr has to be the one to call pth_init().
With this dirmngr actually works (does not seg fault immediately).
Since it's a runtime problem, PKGREVISION bumped.
OK@ wiz
|
|
Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
*) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
message can cause a segmentation fault in OpenSSL due to a NULL pointer
dereference. This could lead to a Denial Of Service attack. Thanks to
Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
(CVE-2014-3571)
[Steve Henson]
*) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
dtls1_buffer_record function under certain conditions. In particular this
could occur if an attacker sent repeated DTLS records with the same
sequence number but for the next epoch. The memory leak could be exploited
by an attacker in a Denial of Service attack through memory exhaustion.
Thanks to Chris Mueller for reporting this issue.
(CVE-2015-0206)
[Matt Caswell]
*) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
method would be set to NULL which could later result in a NULL pointer
dereference. Thanks to Frank Schmirler for reporting this issue.
(CVE-2014-3569)
[Kurt Roeckx]
*) Abort handshake if server key exchange message is omitted for ephemeral
ECDH ciphersuites.
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
reporting this issue.
(CVE-2014-3572)
[Steve Henson]
*) Remove non-export ephemeral RSA code on client and server. This code
violated the TLS standard by allowing the use of temporary RSA keys in
non-export ciphersuites and could be used by a server to effectively
downgrade the RSA key length used to a value smaller than the server
certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
INRIA or reporting this issue.
(CVE-2015-0204)
[Steve Henson]
*) Fixed issue where DH client certificates are accepted without verification.
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client to
authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.
Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
this issue.
(CVE-2015-0205)
[Steve Henson]
*) Ensure that the session ID context of an SSL is updated when its
SSL_CTX is updated via SSL_set_SSL_CTX.
The session ID context is typically set from the parent SSL_CTX,
and can vary with the CTX.
[Adam Langley]
*) Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.
1. Reject signatures with non zero unused bits.
If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.
2. Check certificate algorithm consistency.
Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.
Thanks to Konrad Kraszewski from Google for reporting this issue.
3. Check DSA/ECDSA signatures use DER.
Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.
This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).
Further analysis was conducted and fixes were developed by Stephen Henson
of the OpenSSL core team.
(CVE-2014-8275)
[Steve Henson]
*) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
results on some platforms, including x86_64. This bug occurs at random
with a very low probability, and is not known to be exploitable in any
way, though its exact impact is difficult to determine. Thanks to Pieter
Wuille (Blockstream) who reported this issue and also suggested an initial
fix. Further analysis was conducted by the OpenSSL development team and
Adam Langley of Google. The final fix was developed by Andy Polyakov of
the OpenSSL core team.
(CVE-2014-3570)
[Andy Polyakov]
*) Do not resume sessions on the server if the negotiated protocol
version does not match the session's version. Resuming with a different
version, while not strictly forbidden by the RFC, is of questionable
sanity and breaks all known clients.
[David Benjamin, Emilia Käsper]
*) Tighten handling of the ChangeCipherSpec (CCS) message: reject
early CCS messages during renegotiation. (Note that because
renegotiation is encrypted, this early CCS was not exploitable.)
[Emilia Käsper]
*) Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.
Similarly, ensure that the client requires a session ticket if one
was advertised in the ServerHello. Previously, a TLS client would
ignore a missing NewSessionTicket message.
[Emilia Käsper]
|
|
|
|
|
|
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=817472358a093438e802380caecf7139406400cf;hp=8c5eee51d9a25b143e41ffb7ff4a6b2a29b82d83
Bump PKGREVISION.
|
|
There is no useful changelog, but it makes the client work again a recent
OpenSSH server (6.7p1-hpn14v5) again. Tested with "duplicity".
|
|
|
|
|
|
|
|
Allow option to set subject.
|
|
similar encryption strength.
|
|
XXX: No idea why I missed that when updating the package.
|
|
|
|
|
|
0.7.1 - 2014-12-28
~~~~~~~~~~~~~~~~~~
* Fixed an issue preventing compilation on platforms where ``OPENSSL_NO_SSL3``
was defined.
0.7 - 2014-12-17
~~~~~~~~~~~~~~~~
* Cryptography has been relicensed from the Apache Software License, Version
2.0, to being available under *either* the Apache Software License, Version
2.0, or the BSD license.
* Added key-rotation support to :doc:`Fernet </fernet>` with
:class:`~cryptography.fernet.MultiFernet`.
* More bit-lengths are now support for ``p`` and ``q`` when loading DSA keys
from numbers.
* Added :class:`~cryptography.hazmat.primitives.interfaces.MACContext` as a
common interface for CMAC and HMAC and deprecated
:class:`~cryptography.hazmat.primitives.interfaces.CMACContext`.
* Added support for encoding and decoding :rfc:`6979` signatures in
:doc:`/hazmat/primitives/asymmetric/utils`.
* Added
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` to
support the loading of OpenSSH public keys (:rfc:`4253`). Only RSA and DSA
keys are currently supported.
* Added initial support for X.509 certificate parsing. See the
:doc:`X.509 documentation</x509>` for more information.
|
|
|
|
Collection.
Password management should be simple and follow Unix philosophy. With pass,
each password lives inside of a gpg encrypted file whose filename is the title
of the website or resource that requires the password. These encrypted files
may be organized into meaningful folder hierarchies, copied from computer to
computer, and, in general, manipulated using standard command line file
management utilities.
pass makes managing these individual password files extremely easy. All
passwords live in ~/.password-store, and pass provides some nice commands for
adding, editing, generating, and retrieving passwords. It is a very short and
simple shell script. It's capable of temporarily putting passwords on your
clipboard and tracking password changes using git
|
|
noise.
Pointed out by wiz and obache, thanks!
|
|
This is a collection of both secure hash functions (such as SHA256 and
RIPEMD160), and various encryption algorithms (AES, DES, RSA, ElGamal,
etc.). The package is structured to make adding new modules easy.
One possible application of the modules is writing secure administration
tools. Another application is in writing daemons and servers. Clients
and servers can encrypt the data being exchanged and mutually
authenticate themselves; daemons can encrypt private data for added
security. Python also provides a pleasant framework for prototyping and
experimentation with cryptographic algorithms; thanks to its
arbitrary-length integers, public key algorithms are easily implemented.
|
|
In lib/x509/rfc2818_hostname.c, ipv6 related structs are used, but
at least on FreeBSD, arpa/inet.h does not contains the necessary
structs. If netinet/in.h is present, we use it instead of arpa/inet.h.
Reviewed by wiz
|
|
Remove now unnecessary overrides in various packages.
|
|
|
|
|
|
QtKeychain is a Qt API to store passwords and other secret data
securely. How the data is stored depends on the platform.
|
|
packaged for wip by nros.
The Qore xmlsec module gives Qore programs the possibility to support
XML signature(xmldsig) and XML encryption(xmlenc) as defined by W3C.
|
|
packaged for wip by nros.
The ssh2 module provides Qore the possibility to communicate with sshd
servers via the ssh2 protocol; the underlying functionality is provided
by libssh2.
|
|
packaged for wip by nros.
ASN.1(Abstract Syntax Notation One) module for Qore provides an API to
dynamically create, parse and convert ASN.1 data structures to concrete
output formats (like DER).
|
|
|
|
0.51 - 2014-12-17
- Update README file
- Work around gpg2 bug by omitting --homedir during symmetric
encryption
|
|
2.008 2014/12/16
- work around recent OCSP verification errors for revoked.grc.com (badly signed
OCSP response, Firefox also complains about it) in test t/external/ocsp.t.
- util/analyze.pl - report more details about preferred cipher for specific TLS
versions
|
|
to mozilla upstream.
|
|
add LICENSE
|
|
PR pkg/49499 by Sevan Janiyan.
|
|
|
